Web Security: add rel=noopener to external links

Don't touch my tabs! (rel=noopener) is a Firefox add-on that automatically adds rel="noopener" to external links on sites open in Firefox. Noopener_by_default is a userscript that does the same for links.

Did you know that sites that you load by clicking on links may manipulate the page the link was posted on?

Imagine two HTML pages: index.html, the first page, contains a link pointing to omg.html. When you click that link on index.html, omg.html opens in a new tab, provided the link carries the target="_blank" attribute (the attribute is a requirement for this to work).

The page omg.html may use the window.opener property to manipulate content on index.html. Since this happens in the background, it often goes unnoticed by the user.

In the worst case, this may be used to display a fake login page on the originating web page to phish user data.

The link attribute rel="noopener" will set the window.opener property to null, so that target sites won't be able to manipulate the originating page.

You are probably wondering why browsers are not simply adding rel="noopener" to all links that open in new tabs and be done with it. Browser makers state that this will break certain sites and services on the Internet.

You can test it for yourself on this web page. Click on the first or second link on the page to get started. It opens a new page in a new tab. When you go back afterwards to the originating page, you will see that it has been modified by the target page.

Solutions

There are a couple of solutions that prevent this type of manipulation:

Middle-click on links to open them instead of left-clicking on them.

Install the Firefox add-on Don't touch my tabs! (rel=noopener). It adds the rel="noopener" attribute to all external links, but not to same-origin links. Please note that this works only from Firefox 52 on, as this will be the version of Firefox that supports rel="noopener".
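The add-on's rule (harden links that open a new tab and point to another origin, leave same-origin links alone) written out as an added example in Node-style JavaScript; this is not the add-on's or the article's code, and the page URL, the link objects and the helper names are assumptions. The optional hardenSameOrigin flag goes beyond the add-on and applies the attribute to same-origin links as well.

```javascript
// Added example, not code from the article or from the add-on it describes:
// the per-link decision a "Don't touch my tabs!"-style extension makes.
// Links are plain {href, target, rel} objects so this runs in Node without a DOM.
// Targets that reuse an existing browsing context: no window.opener is handed
// to the destination, so nothing needs hardening.
const SAME_CONTEXT_TARGETS = new Set(["", "_self", "_parent", "_top"]);

// Return the rel value a link should carry, or null when no change is needed.
// pageUrl is the URL of the document that contains the link (to resolve
// relative hrefs and compare origins). With hardenSameOrigin=false the
// function behaves like the add-on and leaves same-origin links alone.
function hardenedRel(pageUrl, link, hardenSameOrigin = false) {
  const target = (link.target || "").trim().toLowerCase();
  if (SAME_CONTEXT_TARGETS.has(target)) return null;
  const tokens = (link.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  // rel="noreferrer" already implies noopener, so either token means done.
  if (tokens.includes("noopener") || tokens.includes("noreferrer")) return null;
  let resolved;
  try {
    resolved = new URL(link.href || "", pageUrl); // resolves relative hrefs
  } catch (e) {
    return null; // unparsable href: nothing a browser could open
  }
  if (!hardenSameOrigin && resolved.origin === new URL(pageUrl).origin) {
    return null;
  }
  return [...tokens, "noopener"].join(" ");
}

// Apply hardenedRel to every link on a page and report how many changed.
function hardenLinks(pageUrl, links, hardenSameOrigin = false) {
  let changed = 0;
  const out = links.map((link) => {
    const rel = hardenedRel(pageUrl, link, hardenSameOrigin);
    if (rel === null) return link;
    changed += 1;
    return { ...link, rel };
  });
  return { links: out, changed };
}

// Constructed sample links, as an extension would read them from the markup
// of a page at the assumed URL https://example.org/post.html.
const SAMPLE_LINKS = [
  { href: "https://example.net/omg.html", target: "_blank", rel: "" },     // external
  { href: "/about", target: "_blank", rel: "nofollow" },                  // same origin
  { href: "https://example.net/x", target: "_blank", rel: "noreferrer" }, // already safe
  { href: "https://example.net/y", target: "", rel: "" },                 // same tab
  { href: "https://example.net/z", target: "news", rel: "NoOpener" },     // named tab, safe
];
```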

Side note: We add rel="noopener" to links here on Ghacks so that you are safe from this when clicking on links here on the site.


Author

Martin Brinkmann

Publisher

Ghacks Technology News


About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+.

“Please note that this works from Firefox 52 on only, as this will be the version of Firefox that supports rel="noopener").”

Thanks Martin for mentioning this and a pity the developer of the ‘Don’t touch my tabs! (rel=noopener)’ Firefox add-on doesn’t: I had tested the add-on with Firefox 50.1 and was surprised to notice on the test page mentioned above that it was inefficient…

Users of the famous ‘Tab Mix Plus’ Firefox add-on can limit the risks of links that use target="_blank" by checking the add-on’s setting ‘Options / Links / Open links with a target attribute in current tab’.

“just fine” – JUST FINE you say??! Sorry that it doesn’t bring you a coffee every time it clears window.opener! xD

Kidding aside, my script is a lot more efficient than adding a parameter to every link on every page, of which you probably won’t click 99% on anyway, AND you can even make it slightly faster if you remove/comment the console.warn() line. But since that is a negligible improvement and because some sites can break, it’s probably preferable to have a console output if you need to troubleshoot a broken page. And it should work in every browser and version that supports userscripts.

@earthling … I was searching for something less formal than “it works” :) … Is “it does the job” more pleasant to your urban ears?!

I note “you can even make it slightly faster if you remove/comment the console.warn() line” — I won’t remove it for the reasons you mention but it’s good to know it wouldn’t stop the script from running… just fine. LOL!

I’d love to know what itches you with the “just fine” wording, in order to improve my basics of “English language and literature in the context of a new era and correlative cultures” …

If I asked your girlfriend “how is the sex with Tom?” and she would answer “well, he performs just fine.”, would your urban ears like to hear THAT? :)

But of course I was just joking because I know you like to joke around and you just gave me the perfect pitch to make a funny point and give me an excuse to explain that my script is basically the most efficient and best solution to date to deal with the problem at hand here IMHO (apart from blocking JS all together ofc). You know, lighten up the mood a bit since this is a really fucked up problem.

LOL, now the smarty-pants shows up. It probably is but only because you don’t have console output that way, or if you add it you would have console output ALL THE TIME!! Not the same, sis! I’m customer-friendly, you know?! I help people with troubleshooting! xD

@earthling, I was just wondering because as a Frenchman I miss English nuances sometimes. I know it was for a smile and that’s great but in between a laugh and a smile are often nested a reference to something I missed.

If a lady mentioned “just fine” to resume a night’s odyssey with me I might indeed ask myself “not better than that?” … never heard anything of the sort when it’d rather be “Oh James, you are the king of the divan” (“James” when her fantasy is sacrificing her body to a secret agent in order to protect Mother Homeland!).

Enough of my privacy. Your script does it and the WebConsole witnesses it as well. That gives you the right to pay me a coffee, earthling. Congratulations!

I don’t get it. Why was this even possible in the first place? What are legitimate uses for this functionality?


“There are a couple of solutions that prevent this type of manipulation:

– Middle-click on links to open them instead of left-clicking on them.”

Take that, you multiple tabs nay-sayers! I middle click almost everything. I started a decade ago, partly because I prefer it that way in many cases and partly because I knew some web context is passed through a left click that is not passed through middle click. I think. That was a long time ago.

Nah … not me. I haven’t played an online game since .. ever. Used to be the life of the LAN party back in the late last millennium. Last game I played was when I bought my current machine in Dec 2011 …. it was five years ago in January and I wasted a month playing Skyrim .. eventually took an arrow to the knee

It’s still installed, and I have a half dozen saved game points. I maxed out on a half dozen skills (archery, light armor, beauty, stealth, one handed weapons, make-up, cooking, ironing) and also lollied up to the max on extras such as all the archery specials. It also now takes me (exponentially) longer and longer to gain points that I’m currently at something stupid like a week’s solid play to level up one. Last save point is Jan 12th 2014 .. I guess I must have revisited it 3 years ago. January is holidays time, so I guess I was bored, which is atypical this time of year for me.

Oh yeah — the good old quake days! I still play Quake Live (on steam) nowadays sometimes, with the old movement and everything. It just never gets old. Probably my all-time favorite game ever. Was never too much into RPG games so all those titles don’t ring a bell for me. I was mostly into FPS games, but I also loved games like Commandos, Warcraft III, the earlier Tomb Raider games and Magic the Gathering. Today I only still play Dota 2 fairly regularly.

LOL, totally missed that, haha! Beauty seemed weird, must have skipped over the rest of the list at some point because I never played Skyrim and all those details didn’t mean anything to me. To be fair, cooking was a thing in WoW, and ironing could just be a weird wording for doing things with Iron, you know … forging. Make-up should have given the joke away but yeah I totally missed it, unfortunately. I used to be pretty good with spotting jokes but then I took an arrow to the knee.

@Pointer and @Pants – I don’t know why I didn’t think to try it out myself knowing I checked the website out earlier, talk about a brain fart, I was tired… Anyway, I tested it out and it works, right clicking and selecting open in new tab works just like middle clicking. You should put that in the article Martin as not everybody uses a mouse.

NoScript users can also fix it by adding a script surrogate. Though NS users are protected if scripts are disabled, they are not with scripts enabled unless they create the following about:config prefs as strings:

And that’s it. Thanks Barbaz, moderator on NoScript’s forum, for this tip. I don’t know if NoScript will add this surrogate by default in the next version, do nothing, or if there will be a more subtle thing than what all current solutions do which is blocking the window.opener feature preventing good sites from using it too.

The issue occurred when I tried to actually ‘check out’ and purchase an item via PP (from ebay IIRC)

As it was a “critical” moment I didn’t make notes of the error unfortunately. When I was redirected to a different page it had a red banner at the top.

I went back a page, deactivated the GM script and then was able to check out and pay normally, without error.

This may not be an issue for anyone else, it may have been a coincidence or a specific issue due to my setup – but just wanted to make a note of it publicly in case anyone else noticed the same behaviour.

I believe all incidents are worth being mentioned. I note your experience and will have it in mind next time I operate a transaction with PayPal. I’d love to test immediately but I have no purchase in view. Donating to Ghacks has been done for this year. Gosh, where could I spend a few bucks for testing a possible PayPal transaction issue with earthling’s ‘Clear window.opener’ script? :)

Seriously if the issue is confirmed then it’ll be an exit for the script. Of course the opinion of the script’s developer, earthling, is more than ever welcomed.

“Seriously if the issue is confirmed then it’ll be an exit for the script.” Just add paypal to the list of excluded domains in Greasemonkey. No need to kick the script just because one site doesn’t work.

“Don’t nullify window.opener if same origin” Feel free to change the script to fit your needs

“Which doesn’t mean your script cannot be improved, right?” I’m not convinced that it would be an improvement. You can’t just assume that same origin is always safe. I’ve seen some truly mind-blowing vulnerabilities and exploits, and based on that I personally am certainly not gonna make that assumption. As for the reasoning behind that developers decision, the sentence you quoted is listed under “But won’t this ‘break my internet’?” so it’s pretty clear why he implemented it the way he did. ie. security wasn’t his main concern. I mean, I don’t blame him, nobody likes zero-star reviews by people who can’t watch funny cat videos anymore. But my script does exactly what I want it to do and I don’t plan to “improve” it.

On that test page is mentioned as well, ” For older browsers, you could use rel=noreferrer which also disables the Referer HTTP header, or the following JavaScript work-around which potentially triggers the popup blocker: var otherWindow = window.open(); otherWindow.opener = null; otherWindow.location = url; ”

Hence, as a plain-basic-illiterate wise guy I used your Clear window.opener script for its frame and replaced the script with the one above, leading to:

Well, your script doesn’t work because ‘url’ is never defined. And you’re probably lucky that it’s broken because you just created yourself a window.open bomb xD Try replacing url with a real url in quotes (otherWindow.location = “https://www.google.fr”) and see what happens ;) I think FF has some protections to prevent too many window.open() calls, but idk if that also protects against nuking yourself with a GM script.

It’s not “my” script! As I wrote above I simply copied it from https://mathiasbynens.github.io/rel-noopener/ … Anyway it was for testing on that testing page only. Removed. But it is mentioned : ” For older browsers, you could use rel=noreferrer which also disables the Referer HTTP header, or the following JavaScript work-around which potentially triggers the popup blocker: var otherWindow = window.open(); otherWindow.opener = null; otherWindow.location = url; ”

So I don’t understand and I won’t try to given I know nothing in scripting.

I only wanted to explain that those lines of code don’t work when used in a GM script and that you almost accidentally turned it into a popup bomb. It was never my intention to insult you or make fun of you. If it came across that way to you, I apologize.

@earthling, I wasn’t at all in that scenario, I mean I never felt any fun on my back! Wow, we’ve got a communication problem :) I just meant to explain what had led me to this nonsense piece of code, not to complain about your explanation! No problem, none!

Are the top links of https://eztv.ag (such as “Home” or “Countdown List”) using this security issue?

After clicking around 3 times the top links something like below appears…. “javascript:window.opener=null;setTimeout(function(){window.location.href=’https://onderlea.info/S3djWTl0URcwXXZBU2APek9FK1wvSlJ/WCkDXmsfPUpSdwh7WVZtF39RFmQAKBZaO198QltsDXhBB2EBKBRTP1pzEVc4CS1HBm4JLlEFKgR6UQo/BHtREDQEf0ZFMgQ4HwwuSm5FUzZXJx4NPBx5RxAxVjxSUWlVIgQXfAt7AwwrSy4ZFyoceUcGI009UlFpSi4FCjxKbQUGPwQjAxcpSm5EInwLDVJRH1wxAxV3WCxSUR9KIxgUNVA4A0Zrf20UF2QIbRQXOgR8URAtSnZGRTZKOUoGI009WQI+HzsFDWQJbQ==’},250)”

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.